feat: enhance CORS configuration with customizable headers and methods

2026-03-12 19:44:31 +01:00
parent 01f4bc2ce9
commit 8069b7019a
7 changed files with 170 additions and 40 deletions
--- a/README.md
+++ b/README.md
@@ -49,6 +49,41 @@ docker run -p 8080:8080 -e hapi.fhir.default_encoding=xml hapiproject/hapi:lates

 HAPI looks in the environment variables for properties in the [application.yaml](https://github.com/hapifhir/hapi-fhir-jpaserver-starter/blob/master/src/main/resources/application.yaml) file for defaults.

+### CORS configuration (including ETag/If-Match)
+
+The starter CORS configuration now supports the following configurable keys:
+
+- `hapi.fhir.cors.allowed_origin`
+- `hapi.fhir.cors.allow_Credentials`
+- `hapi.fhir.cors.allowed_headers`
+- `hapi.fhir.cors.exposed_headers`
+- `hapi.fhir.cors.allowed_methods`
+
+Defaults include `If-Match` in allowed headers and `ETag` in exposed headers to support browser-based optimistic locking workflows.
+The `allowed_headers`, `exposed_headers`, and `allowed_methods` keys are optional; if omitted, built-in defaults are applied.
+
+Example override file:
+
+```yaml
+hapi:
+  fhir:
+    cors:
+      allowed_origin:
+        - "http://localhost:3000"
+      allowed_headers:
+        - Origin
+        - Accept
+        - Content-Type
+        - Authorization
+        - Cache-Control
+        - If-Match
+        - If-None-Match
+      exposed_headers:
+        - Location
+        - Content-Location
+        - ETag
+```
+
 ### Binary storage configuration

 To stream large `Binary` payloads to disk instead of the database, configure the starter with filesystem storage properties: